Cyber Security Briefing, 2 - 8 March

March 8, 2024

Meta, Google and TikTok 2FA codes exposed

It was recently reported that an exposed database from Asian company YX International revealed unique security codes for Facebook, Google and TikTok accounts, among others. The passwordless database allowed access to sensitive data by using only a web browser and entering the public IP address.

Security researcher Anurag Sen discovered the leak and shared the details with TechCrunch. The database reportedly contained monthly records going back to July 2023, including SMS messages with access codes and password reset links. TechCrunch, for its part, notified YX International of the leak, which addressed it by securing access. Although YX International claimed that the server did not store access logs, it did not disclose how long the database was exposed. The affected companies, such as Meta, Google and TikTok, have also not commented on the incident.

More info

Two 0-day vulnerabilities in Apple patched

Apple has released emergency security updates to address two 0-day vulnerabilities in iOS that have been actively exploited. The vulnerabilities, identified as CVE-2024-23225 and CVE-2024-23296, affect several iPhone and iPad models. The first vulnerability is a kernel memory corruption flaw, while the second is an RTKit memory corruption flaw.

Users are advised to update their devices to iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. In addition, Apple has fixed a privacy issue related to sensitive location data, CVE-2024-23243, and an issue in Safari private browsing, CVE-2024-23256.

More info

Kimsuky APT exploits ScreenConnect vulnerabilities to deploy malware

The North Korean group Kimsuky is exploiting the recently patched ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709, with CVSSv3 scores of 8.4 and 10 respectively, to deploy the ToddleShark malware. According to Vulnera, this APT (Advanced Persistent Threat), also known as Thallium and Velvet Chollima, is reportedly employing this new malware, which has polymorphic characteristics, for espionage purposes.

ToddleShark appears to be a variant of other backdoors employed by the group, such as BabyShark and ReconShark, and is able to obtain persistence through scheduled tasks, evade detection by using legitimate Microsoft binaries, and weaken the defenses of the compromised system by modifying the registry. ToddleShark also encrypts the information it collects in Privacy Enhanced Mail (PEM) certificates and exfiltrates it to Kimsuky's C2 infrastructure.
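The four behaviours listed above (scheduled-task persistence, abuse of signed Microsoft binaries, defense-weakening registry changes and PEM-wrapped outbound data) are individually noisy but rare in combination on one host. The following added example, which is not code from the briefing or from any Kimsuky report, shows how a defender can correlate them per host over endpoint telemetry. The event schema, the registry key patterns, the binary list and the sample events are all constructed assumptions for illustration, not indicators taken from the incident.

```python
"""Per-host correlation of the ToddleShark-style behaviours described above.

Assumptions (constructed for this example): events are dicts with a "type"
and "host" field; the registry patterns and binary list are illustrative
detection heuristics, not indicators from any vendor report.
"""
import re
from collections import defaultdict

# Assumed registry locations whose modification weakens host defenses.
DEFENSE_KEY_PATTERNS = (
    r"\\Windows Defender\\",
    r"\\Policies\\System\\EnableLUA$",
)
# Assumed set of Microsoft-signed binaries commonly used to run attacker content.
LOLBIN_IMAGES = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
# PEM armour header, e.g. "-----BEGIN CERTIFICATE-----", inside an outbound body.
PEM_MARKER = re.compile(r"-----BEGIN [A-Z ]+-----")


def classify(event):
    """Map one telemetry event to a behaviour label, or None if uninteresting."""
    kind = event["type"]
    if kind == "task_created":
        return "scheduled_task_persistence"
    if kind == "registry_set" and any(re.search(p, event["key"]) for p in DEFENSE_KEY_PATTERNS):
        return "defense_weakening_registry"
    if kind == "process_start":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image in LOLBIN_IMAGES:
            return "lolbin_execution"
    if kind == "http_post" and PEM_MARKER.search(event["body"]):
        return "pem_blob_outbound"
    return None


def triage(events, threshold=3):
    """Return {host: sorted behaviours} for hosts showing at least `threshold`
    distinct behaviours; a single LOLBin launch alone never fires."""
    per_host = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].add(label)
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= threshold}


# Constructed sample telemetry: ws-07 shows the full chain, ws-12 only a
# routine rundll32 launch that should not raise an alert on its own.
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "ws-07", "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "task_created", "host": "ws-07", "name": "UpdateCheck"},
    {"type": "registry_set", "host": "ws-07",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "http_post", "host": "ws-07", "url": "http://203.0.113.7/upload",
     "body": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"},
    {"type": "process_start", "host": "ws-12", "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process_start", "host": "ws-12", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

The threshold of three distinct behaviours is a tuning choice: lowering it to two catches earlier stages at the cost of more false positives from administrators who legitimately create tasks and run signed Microsoft tools.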

More info

Controversy over seizure of BlackCat (ALPHV) website

The BlackCat (ALPHV) ransomware gang's website has been seized again, apparently with the cooperation of law enforcement. However, some experts believe that ALPHV has used a banner from a previous seizure and orchestrated a fake takedown to distract attention while absconding with funds generated by its affiliates.

In February 2024, healthcare technology company Change Healthcare suffered an attack and paid a ransom of $22 million, shortly after which ALPHV affiliate accounts were locked and the threat actor put the ransomware source code up for sale. Days later the seizure banner appeared on its website, raising doubts about the authenticity of the seizure. In fact, according to Recorded Future, the US Department of Justice, the UK's National Crime Agency and Europol have all denied shutting down ALPHV's infrastructure.

More info

TeamCity Vulnerability Actively Exploited

JetBrains recently reported two high-severity vulnerabilities in its TeamCity product, identified as CVE-2024-27198 and CVE-2024-27199, with vendor-assigned CVSSv3 scores of 9.8 and 7.3 respectively. Since they were made public, malicious actors have begun exploiting CVE-2024-27198 to carry out operations against vulnerable assets.

Security researchers have warned that Jasmin ransomware is being distributed and that hundreds of new users are being created on unpatched instances. The vulnerability search engine LeakIX estimates that more than 1,700 TeamCity servers, mainly geolocated in Germany, the USA and Russia, have not been patched and that 1,440 of these have been compromised. JetBrains recommends that users update to the latest version to fix the security flaws.
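Because the observed post-exploitation activity is the bulk creation of new user accounts, a burst of account creations in the server's audit trail is a cheap compromise signal even on instances that have since been patched. The following added example (not JetBrains' code, and not TeamCity's actual audit log format, which is a constructed assumption here) flags any actor who creates more accounts than expected inside a sliding time window.

```python
"""Detect bursts of user-account creation in a CI server audit log.

Assumption (constructed for this example): each audit line has the shape
"<ISO-8601 UTC timestamp> <action> key=value ...". Real TeamCity audit
entries look different; adapt parse() to the actual export.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: one actor creates five accounts within seconds,
# followed by normal activity and one legitimate creation hours later.
SAMPLE_AUDIT = """\
2024-03-05T10:00:01Z user_created actor=admin target=build_bot_a src=203.0.113.10
2024-03-05T10:00:02Z user_created actor=admin target=build_bot_b src=203.0.113.10
2024-03-05T10:00:03Z user_created actor=admin target=build_bot_c src=203.0.113.10
2024-03-05T10:00:04Z user_created actor=admin target=build_bot_d src=203.0.113.10
2024-03-05T10:00:05Z user_created actor=admin target=build_bot_e src=203.0.113.10
2024-03-05T10:07:30Z login actor=alice src=198.51.100.5
2024-03-05T14:30:00Z user_created actor=alice target=new_hire src=198.51.100.5
"""


def parse(line):
    """Split one audit line into (timestamp, action, {key: value})."""
    ts, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, fields


def user_creation_bursts(lines, max_new_users=3, window=timedelta(minutes=5)):
    """Return one alert per burst in which more than `max_new_users` accounts
    were created within any `window`-long span. Each alert records when the
    burst started, who created the accounts and every account in the burst."""
    records = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r[0])
    creations = [r for r in records if r[1] == "user_created"]
    bursts, start, current = [], 0, None
    for end, (ts, _, fields) in enumerate(creations):
        # Slide the window start forward until it spans at most `window`.
        while ts - creations[start][0] > window:
            start += 1
        if end - start + 1 > max_new_users:
            if current is None:  # threshold crossed: open a new alert
                current = {
                    "first_seen": creations[start][0].isoformat(),
                    "actor": fields["actor"],
                    "targets": [c[2]["target"] for c in creations[start:end]],
                }
                bursts.append(current)
            current["targets"].append(fields["target"])
        else:
            current = None  # burst has ended; a later one gets its own alert
    return bursts


if __name__ == "__main__":
    for alert in user_creation_bursts(SAMPLE_AUDIT.splitlines()):
        print(f"{alert['first_seen']} actor={alert['actor']} "
              f"created {len(alert['targets'])} accounts: {', '.join(alert['targets'])}")
```

The window and threshold should be set from the organisation's own baseline; an onboarding script that provisions a whole team at once will need to be allow-listed by actor or source address rather than by raising the threshold for everyone.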

More info

'Living off the land': how attackers use your own tools to their advantage